Program correctness - PowerPoint PPT Presentation

Slides: 16
Provided by: Sukuma7

Transcript and Presenter's Notes

Slide 1: Program correctness
  • The state-transition model
  • The set of global states is S = s0 × s1 × ... × sm
  • sk is the set of local states of process k
  • A computation is a sequence of global states S0 → S1 → S2 → ...
  • Each transition is caused by an action by an
    eligible process.
  • We reason using interleaving semantics

[Figure: a state-transition diagram. The nodes are global states, starting from the initial state; each transition is labelled with the action that causes it.]
Slide 2: Correctness criteria
  • Safety properties: bad things never happen
  • Liveness properties: good things eventually happen

Slide 3: Testing vs. Proof
Testing: apply inputs and observe whether the outputs satisfy the specification. Foolproof testing can be painfully slow, even for small systems. Most testing is partial.
Proof: has a mathematical foundation and gives a complete guarantee. Sometimes not scalable.
Slide 4: Testing vs. Proof
  • To test this program, you have to test all possible interleavings. With n processes p0, p1, ..., pn-1, and m steps per process, the number of interleavings is

        (n·m)! / (m!)^n

  • The state explosion problem

Slide 5: Example 1: Mutual Exclusion

  Process 0                  Process 1
  do true →                  do true →
     Entry protocol             Entry protocol
     Critical section           Critical section
     Exit protocol              Exit protocol
  od                         od

  • Safety properties
      (1) There is no deadlock
      (2) At most one process enters the critical section.
  • Liveness property
      A process trying to enter the CS must eventually succeed in doing so.
      (This is also called the progress property)

Slide 6: Exercise

  program mutex 1
  define busy : shared boolean
  initially busy = false

  process 0                         process 1
  do true →                         do true →
     do busy → skip od                 do busy → skip od
     busy := true                      busy := true
     critical section                  critical section
     busy := false                     busy := false
     remaining code                    remaining code
  od                                od

  • Does this mutual exclusion protocol satisfy liveness and safety properties?

Slide 7: Safety invariants
The mutual exclusion problem: number of processes in the critical section ≤ 1.
Producer-consumer problem: 0 ≤ nP - nC ≤ buffer capacity (nP and nC are the numbers of items produced and consumed).

[Figure: producer → buffer → consumer]

Absence of deadlock: ¬(G0 ∨ G1 ∨ G2 ∨ ... ∨ Gk) ⇒ postcondition
(when no guard is enabled the program has stopped, so the postcondition must already hold).
Partial correctness: if the program terminates, then the postcondition will hold. It does not say whether the program will terminate (termination is a liveness property).
Total correctness = partial correctness + termination.
Slide 8: Exercise
  • Color the nodes of a graph so that no two adjacent nodes have the same color.

  program colorme for process Pi
  define color c ∈ {0, 1, 2, 3}
  initially colors are arbitrary
  do ∃j : j ∈ neighbor(i) ∧ (ci = cj) → ci := (ci + 2) mod 4
  od

  • Is the program partially correct?
  • Does it terminate?

[Figure: an example graph with nodes p0, p1, p2, p3]
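The questions on slides 6 and 8 can be settled mechanically for small instances: the global state is the tuple of local states (slide 1), every interleaving is a path in the finite state graph (slide 4), so exhaustive exploration of the reachable states checks the mutual-exclusion invariant and, for colorme, whether every terminal state is a proper colouring and whether some schedule never reaches one. The following Python is an added example, not code from the slides; the program-counter encoding of mutex 1 and the two sample graphs (a 4-node path using the figure's node names, whose edges are not legible in the transcript, and a triangle) are constructed for it.

```python
from collections import deque


def reachable(initial, successors):
    """Breadth-first search over the global state graph.

    Returns a dict mapping each reachable state to the (predecessor, action label)
    through which it was first found; the initial state maps to None.
    """
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        for label, t in successors(s):
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    return parent


def interleaving(parent, state):
    """The sequence of actions (one interleaving) from the initial state to `state`."""
    steps = []
    while parent[state] is not None:
        state, label = parent[state]
        steps.append(label)
    return steps[::-1]


def has_cycle(initial, successors):
    """True if a cycle is reachable, i.e. some schedule gives an infinite computation."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {initial: GREY}
    stack = [(initial, iter([t for _, t in successors(initial)]))]
    while stack:
        s, it = stack[-1]
        for t in it:
            if colour.get(t, WHITE) == GREY:
                return True            # back edge: t is still on the DFS path
            if colour.get(t, WHITE) == WHITE:
                colour[t] = GREY
                stack.append((t, iter([u for _, u in successors(t)])))
                break
        else:
            colour[s] = BLACK
            stack.pop()
    return False


# --- Slide 6: program mutex 1 (constructed encoding) --------------------------
# Local state of process k is its program counter:
#   0: at "do busy -> skip od"  (about to read busy)
#   1: at "busy := true"        (spin loop exited because busy was read as false)
#   2: inside the critical section
#   3: at "busy := false"
# Global state: (pc0, pc1, busy).  Reading busy and writing it are separate steps.

def mutex_successors(state):
    pc0, pc1, busy = state
    out = []
    for k, pc in ((0, pc0), (1, pc1)):
        if pc == 0 and busy:
            npc, nbusy, what = 0, busy, "reads busy = true, keeps spinning"
        elif pc == 0:
            npc, nbusy, what = 1, busy, "reads busy = false, leaves spin loop"
        elif pc == 1:
            npc, nbusy, what = 2, True, "busy := true, enters CS"
        elif pc == 2:
            npc, nbusy, what = 3, busy, "leaves CS"
        else:
            npc, nbusy, what = 0, False, "busy := false"
        nxt = (npc, pc1, nbusy) if k == 0 else (pc0, npc, nbusy)
        out.append((f"p{k}: {what}", nxt))
    return out


def mutex_safety_violation():
    """The interleaving that puts both processes in the CS at once, or None if none exists."""
    parent = reachable((0, 0, False), mutex_successors)
    for s in parent:
        if s[0] == 2 and s[1] == 2:
            return interleaving(parent, s)
    return None


# --- Slide 8: program colorme --------------------------------------------------
# Global state: a tuple with the colour of every node.  Process i is eligible when
# some neighbour j has cj = ci; its action is ci := (ci + 2) mod 4.

def colorme_successors(edges):
    nbrs = {}
    for a, b in edges:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)

    def successors(colours):
        out = []
        for i, ci in enumerate(colours):
            if any(colours[j] == ci for j in nbrs.get(i, ())):
                new = list(colours)
                new[i] = (ci + 2) % 4
                out.append((f"p{i}: c := {new[i]}", tuple(new)))
        return out
    return successors


def colorme_analysis(edges, initial):
    succ = colorme_successors(edges)
    parent = reachable(initial, succ)
    terminals = [s for s in parent if not succ(s)]   # states with no eligible process

    def proper(s):
        return all(s[a] != s[b] for a, b in edges)

    return {
        "partially_correct": all(proper(s) for s in terminals),  # terminated => proper colouring
        "can_terminate": bool(terminals),                        # some schedule reaches a terminal state
        "can_run_forever": has_cycle(initial, succ),             # some schedule never terminates
    }


if __name__ == "__main__":
    print("mutex 1 violation:", mutex_safety_violation())
    print("path p0-p1-p2-p3, all 0:", colorme_analysis([(0, 1), (1, 2), (2, 3)], (0, 0, 0, 0)))
    print("triangle, all 0:", colorme_analysis([(0, 1), (1, 2), (0, 2)], (0, 0, 0)))
```

The mutex search reports a four-step interleaving in which both processes read busy = false before either writes it, so the safety property (2) of slide 5 fails; because the spin loop is a self-loop in the state graph, the liveness question cannot be answered from these finite traces alone (slide 9). For colorme, every terminal state is a proper colouring by construction of the guard, but the cycle search shows that an adversarial schedule can keep recolouring forever, and on a triangle with all-even initial colours no terminal state exists at all, since each node only ever alternates between two colours.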
Slide 9: Liveness properties
  • Eventuality is tricky. There is no need to guarantee when the desired thing will happen, as long as it happens.
  • Some examples:
      The message will eventually reach the receiver.
      The process will eventually enter its critical section.
      The faulty process will eventually be diagnosed.
      Fairness (whether an action will eventually be scheduled).
      The program will eventually terminate.
  • Absence of liveness cannot be determined from a finite prefix of the computation.

Slide 10: Proving safety

  define c1, c2 : channel    init c1 = ⟨⟩, c2 = ⟨⟩
         r, t : integer      init r = 5, t = 5

  program for T
  do   1: t > 0        → send msg along c1; t := t - 1
     □ 2: ¬empty(c2)   → rcv msg from c2;   t := t + 1
  od

  program for R
  do   3: ¬empty(c1)   → rcv msg from c1;   r := r + 1
     □ 4: r > 0        → send msg along c2; r := r - 1
  od

  • We want to prove the safety property P:
    the total number of messages in c1 + c2 is ≤ 10

[Figure: transmitter T and receiver R, connected by channel c1 from T to R and channel c2 from R to T]
Slide 11: Proving safety
  • Let n1, n2 = number of messages in c1 and c2 respectively.
  • We will establish the following invariant:
        I ≡ (t ≥ 0) ∧ (r ≥ 0) ∧ (n1 + t + n2 + r = 10)
  • (I implies P.) Check that I holds after every action.

  program for T
  do   1: t > 0        → send msg along c1; t := t - 1
     □ 2: ¬empty(c2)   → rcv msg from c2;   t := t + 1
  od

  program for R
  do   3: ¬empty(c1)   → rcv msg from c1;   r := r + 1
     □ 4: r > 0        → send msg along c2; r := r - 1
  od
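"Check that I holds after every action" is an inductive argument with three obligations: I holds initially, I implies P, and every enabled action taken from a state satisfying I leads to a state satisfying I. Because I fixes the sum of the four counters, the states satisfying it are finite and the obligations can be discharged by enumeration. The Python below is an added example, not code from the slides; the state tuple (t, r, n1, n2) and the action labels 1 to 4 follow slide 10, and it also shows why the weaker property P by itself is not inductive.

```python
from itertools import product

TOTAL = 10               # r + t = 5 + 5 initially, both channels empty
INITIAL = (5, 5, 0, 0)   # global state (t, r, n1, n2); n1, n2 = messages in c1, c2

# The four guarded actions of slide 10 as (label, guard, effect) triples.
ACTIONS = [
    ("1: T sends on c1",      lambda t, r, n1, n2: t > 0,  lambda t, r, n1, n2: (t - 1, r, n1 + 1, n2)),
    ("2: T receives from c2", lambda t, r, n1, n2: n2 > 0, lambda t, r, n1, n2: (t + 1, r, n1, n2 - 1)),
    ("3: R receives from c1", lambda t, r, n1, n2: n1 > 0, lambda t, r, n1, n2: (t, r + 1, n1 - 1, n2)),
    ("4: R sends on c2",      lambda t, r, n1, n2: r > 0,  lambda t, r, n1, n2: (t, r - 1, n1, n2 + 1)),
]


def P(t, r, n1, n2):
    """Safety property: the total number of messages in c1 and c2 is at most 10."""
    return n1 + n2 <= TOTAL


def I(t, r, n1, n2):
    """The invariant of slide 11."""
    return t >= 0 and r >= 0 and n1 + t + n2 + r == TOTAL


def inductive_proof_failure(candidate, bound=TOTAL):
    """Check the obligations of an inductive invariant proof for `candidate`:
         (a) it holds in the initial state,
         (b) it implies the property P,
         (c) from every state satisfying it, every enabled action leads to a
             state that still satisfies it.
    Counters are enumerated over 0..bound.  For I this is exhaustive (every
    I-state has counters summing to 10); for other candidates it is a bounded
    check.  Returns None when all obligations hold, otherwise a tuple that
    describes the first failing obligation.
    """
    if not candidate(*INITIAL):
        return ("initial state violates candidate", INITIAL)
    for s in product(range(bound + 1), repeat=4):
        if not candidate(*s):
            continue
        if not P(*s):
            return ("candidate does not imply P", s)
        for label, guard, effect in ACTIONS:
            if guard(*s):
                nxt = effect(*s)
                if not candidate(*nxt):
                    return (label, s, nxt)    # this action breaks the candidate
    return None


if __name__ == "__main__":
    print("I is inductive:", inductive_proof_failure(I) is None)
    print("P alone is not inductive, e.g.:", inductive_proof_failure(P))
```

For P alone the check finds a state such as t = 0, r = 1, n1 = 0, n2 = 10, which satisfies P but from which action 4 puts an eleventh message into the channels; that state is unreachable, and strengthening to I is exactly what rules it out, which is why the proof on the slide works with I rather than with P directly.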

Slide 12: Proving liveness
  • If there is no infinite chain like w1 > w2 > w3 > w4 > ..., i.e.
        f(si) > f(si+1) > f(si+2) > ...
    along the computation (a chain of global states)
        S1 → S2 → S3 → S4 → ...
        ↓f   ↓f   ↓f   ↓f
        w1   w2   w3   w4
    with w1, w2, w3, w4, ... ∈ WF,
  • where WF is a well-founded set whose elements can be ordered by >,

then the computation will definitely terminate!
f is often called a variant function.
Slide 13: Proof of liveness: an example
Clock phase synchronization. A system of n clocks ticking at the same rate. Each clock is 3-valued, i.e. it ticks as 0, 1, 2, 0, 1, 2, ... A failure may arbitrarily alter the clock phases. The clocks need to return to the same phase.

[Figure: clocks labelled 0, 1, 2, 3, ..., n-1]
Slide 14: Proof of liveness: an example
  • Clock phase synchronization
  • Program for each clock
    (ck = phase of clock k, initially arbitrary)

    do   ∃j : j ∈ N(i) : cj = (ci + 1) mod 3  →  ci := (ci + 2) mod 3
       □ ∀j : j ∈ N(i) : cj ≠ (ci + 1) mod 3  →  ci := (ci + 1) mod 3
    od

  • Show that eventually all clocks will return to the same phase (convergence), and continue to be in the same phase (closure).

[Figure: clocks labelled 0, 1, 2, 3, ..., n-1]
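The convergence and closure claims can be checked exhaustively for a few clocks, and the variant-function argument of slide 12 can be exercised on the same system. The Python below is an added example, not code from the slides. It assumes two things the transcript does not state: the clocks are arranged in a line, so N(i) = {i-1, i+1}, and since they tick at the same rate every clock executes one guarded action per synchronous round. The variant function used here is constructed for this example from the phase differences of neighbouring clocks; it is not the function D of slide 15, whose arrow notation is not defined in the transcript.

```python
from itertools import product


def step(phases):
    """One synchronous round of the slide-14 program on a line of clocks (assumed topology)."""
    n = len(phases)
    new = []
    for i, ci in enumerate(phases):
        nbrs = [j for j in (i - 1, i + 1) if 0 <= j < n]
        ahead = any(phases[j] == (ci + 1) % 3 for j in nbrs)   # first guard of slide 14
        new.append((ci + 2) % 3 if ahead else (ci + 1) % 3)
    return tuple(new)


def rounds_to_converge(phases, limit=100):
    """Rounds until every clock shows the same phase, or None if `limit` is exceeded."""
    for k in range(limit + 1):
        if len(set(phases)) == 1:
            return k
        phases = step(phases)
    return None


def variant(phases):
    """A variant function in the sense of slide 12 (constructed for this example).

    d_i = c_{i+1} - c_i mod 3 for each neighbouring pair.  A pair with d_i = 1
    weighs i + 1, a pair with d_i = 2 weighs n - 1 - i.  The value is 0 exactly
    when all clocks agree, and one synchronous round strictly decreases it:
    a run of 1-pairs loses its rightmost member and can only grow leftwards,
    a run of 2-pairs loses its leftmost member and can only grow rightwards.
    """
    n = len(phases)
    total = 0
    for i in range(n - 1):
        d = (phases[i + 1] - phases[i]) % 3
        if d == 1:
            total += i + 1
        elif d == 2:
            total += n - 1 - i
    return total


def check_convergence_and_closure(n, limit=100):
    """Check all 3**n initial phase assignments of n clocks.

    Returns the worst-case number of rounds to convergence, or None if some
    assignment fails to converge, the variant fails to decrease in some round,
    or a synchronised system does not stay synchronised (closure).
    """
    worst = 0
    for init in product(range(3), repeat=n):
        k = rounds_to_converge(init, limit)
        if k is None:
            return None
        worst = max(worst, k)
        s = init
        while len(set(s)) != 1:          # before convergence the variant is > 0 and drops
            if variant(s) == 0 or variant(step(s)) >= variant(s):
                return None
            s = step(s)
        if variant(s) != 0:
            return None
    for phase in range(3):               # closure: synchronised clocks keep ticking 0, 1, 2 together
        s = (phase,) * n
        for _ in range(3):
            nxt = step(s)
            if len(set(nxt)) != 1 or nxt[0] != (s[0] + 1) % 3:
                return None
            s = nxt
    return worst


if __name__ == "__main__":
    print("(0, 1, 2) converges after", rounds_to_converge((0, 1, 2)), "rounds")
    for n in (3, 4, 5):
        print(f"{n} clocks: worst case {check_convergence_and_closure(n)} rounds")
```

Under these assumptions the check passes for every initial state, and the variant never increases, which is the shape of the argument slide 12 asks for: a function into a well-founded set that every step strictly decreases bounds the number of rounds before the good state is reached. The synchronous assumption matters: if the two clocks of a 2-clock system were instead scheduled strictly alternately, one step at a time, the state (0, 1) would cycle through (2, 1), (2, 0), (1, 0), (1, 2), (0, 2) and back without ever converging.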
Slide 15: Proof of convergence
  • Let D = d0 + d1 + d2 + ... + dn-1, where
        di = 0       if no arrow points towards clock i
           = i + 1   if a → is pointing towards clock i
           = n - i   if a ← is pointing towards clock i
           = 1       if both → and ← point towards clock i
  • By definition, D ≥ 0.
  • Also, D decreases after every step in the system. So the number of arrows must reduce to 0.

[Figure: a row of clocks showing their phases (0, 1, 2) and the arrows between neighbouring clocks, captioned "Understand the game of arrows"]